2017-07-21 - BOLETO MALSPAM - SUBJ: ENVIO DE BOLETO - URGENTE - AXECAPITAL

ASSOCIATED FILES:

  • 2017-07-21-Boleto-malspam-infection-from-PDF-attachment.pcap   (3,391,724 bytes)
  • 20072017008184910142830132981348292017.pdf   (46,878 bytes)
  • 20072017008184910142830132981348292017.vbs   (2,678 bytes)
  • 2017-07-21-0830-UTC-Boleto-malspam.eml   (64,604 bytes)
  • 2017-07-21-Boleto-malspam-artifacts-information.csv   (2,127 bytes)
  • ANDRELLY-PC.aes   (16 bytes)
  • ANDRELLY-PC.zip   (3,283,290 bytes)
  • ANDRELLY-PCx.ocx   (384 bytes)
  • Ionic.Zip.Reduced.dll   (253,440 bytes)
  • SYSANDRELLYPC55.xml   (3,380 bytes)
  • c.cer   (905 bytes)
  • crov.exe   (1,690,096 bytes)
  • dll.dll.exe   (396,480 bytes)
  • niljxqjz.g3t.vbs   (118 bytes)
  • ps.exe   (452,608 bytes)
  • rff5waw2.4w2.vbs   (136 bytes)
  • taskmgrs.exe   (2 bytes)

NOTES:

 

EMAIL


Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

 

ATTACHMENT


Shown above:  Link from the PDF attachment downloads a VBS file.

 


Shown above:  The downloaded VBS file.
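The lure in this campaign is a PDF whose embedded link fetches a VBS downloader rather than the PDF carrying an exploit itself, so the first triage step on the attachment is simply to pull every link target out of it. The script below is an added example for this page, not a tool from the original post: it scans a PDF for /URI actions (literal and hex strings, plus anything hidden in FlateDecode object streams) and flags targets that end in a script or executable extension. The sample PDF is constructed inline and every URL in it is a placeholder, not an indicator from the real sample.

```python
"""Pull link targets out of a PDF attachment and flag script downloads.

Added example for this page, not a tool from the original post. The PDF
below is constructed inline; every URL in it is a placeholder, not an
indicator from the real sample.
"""
import re
import zlib

# /URI followed by a literal string (...) with backslash escapes, or a hex string <...>
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
# stream ... endstream bodies; the lookbehind keeps "endstream" from matching as "stream"
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
_ESCAPES = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12,
            ord("("): 40, ord(")"): 41, ord("\\"): 92}
# Extensions a mail gateway should treat as "this link fetches code, not a document"
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr", ".ps1")


def _decode_literal(raw: bytes) -> str:
    """Undo PDF literal-string escapes: \\n \\( \\) \\\\ and \\ddd octal."""
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C or i + 1 == len(raw):          # not a backslash (or a trailing one)
            out.append(c)
            i += 1
            continue
        nxt = raw[i + 1]
        if nxt in _ESCAPES:
            out.append(_ESCAPES[nxt])
            i += 2
        elif 0x30 <= nxt <= 0x37:                    # \ddd: one to three octal digits
            digits = re.match(rb"[0-7]{1,3}", raw[i + 1:]).group(0)
            out.append(int(digits, 8) & 0xFF)
            i += 1 + len(digits)
        elif nxt in (0x0D, 0x0A):                    # backslash-EOL is a line continuation
            i += 2
            if nxt == 0x0D and i < len(raw) and raw[i] == 0x0A:
                i += 1
        else:                                        # unknown escape: the spec says drop the backslash
            i += 1
    return out.decode("latin-1")


def _decode_hex(raw: bytes) -> str:
    digits = re.sub(rb"\s", b"", raw)
    if len(digits) % 2:                              # odd digit count: spec pads the last digit with 0
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii")).decode("latin-1")


def _inflated_streams(pdf: bytes):
    """Yield the decompressed body of every stream that inflates; object streams can hide annotations."""
    for m in _STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates a trailing byte lost to the EOL-before-endstream heuristic
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue


def extract_uris(pdf: bytes) -> list:
    """Return /URI targets in document order, from the raw file and from inflated streams."""
    found = []
    for blob in [pdf, *_inflated_streams(pdf)]:
        for lit, hx in _URI_RE.findall(blob):
            uri = _decode_literal(lit) if lit else _decode_hex(hx)
            if uri and uri not in found:
                found.append(uri)
    return found


def script_links(uris) -> list:
    """URIs whose path ends in a script/executable extension (the pattern here: PDF link -> .vbs)."""
    return [u for u in uris if u.split("?", 1)[0].split("#", 1)[0].lower().endswith(SCRIPT_EXTS)]


# Constructed sample: two link annotations in the clear, a third inside a FlateDecode object stream.
_HIDDEN_OBJ = b"6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/second.pdf) >> >> endobj"
_DEFLATED = zlib.compress(_HIDDEN_OBJ)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 20]\n"
    b"   /A << /S /URI /URI (http://example.invalid/boleto\\(2\\).vbs) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 200 50]\n"
    b"   /A << /S /URI /URI <6874 7470 3a2f 2f65 7669 6c2e 6578 616d 706c 652f 782e 7662 73> >> >> endobj\n"
    b"7 0 obj << /Type /ObjStm /Filter /FlateDecode /Length " + str(len(_DEFLATED)).encode() + b" >>\n"
    b"stream\n" + _DEFLATED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    uris = extract_uris(SAMPLE_PDF)
    print("links:", uris)
    print("script downloads:", script_links(uris))
```

The regex scan is deliberately tolerant of malformed files (malicious PDFs rarely parse cleanly), at the cost of not following the object graph; a /URI inside a /JavaScript action or a /Launch target would need the same treatment on the `/JS` and `/F` keys. Run it against the 20072017008184910142830132981348292017.pdf from the zip and the link that fetches the VBS should come out in the script-download list.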

 

TRAFFIC


Shown above:  Traffic from this infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

MALWARE

PDF ATTACHMENT:

DOWNLOADED VBS FILE:

 

ARTIFACTS

SOME ARTIFACTS FOUND ON THE INFECTED (WINDOWS 7) HOST:

 

IMAGES


Shown above:  Some of the unencrypted IRC traffic noted over TCP port 443.
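Plaintext IRC on TCP/443 is a detection opportunity in itself: anything on 443 that does not start with a TLS record header is worth a look, and IRC command verbs (NICK, USER, JOIN) make the protocol easy to confirm. The code below is an added example for this page, not part of the original post: it takes client-to-server TCP payloads, separates TLS from plaintext, parses the plaintext as IRC, and emits an alert line per flow carrying IRC on 443 with the bot's nick and channel. The flows, nicknames, channels and addresses are constructed placeholders, not values from the capture.

```python
"""Flag plaintext IRC riding on TCP/443 in a set of TCP payloads.

Added example for this page, not a tool from the original post. The flows
below are constructed; nicknames, channels and hosts are placeholders,
not indicators from the capture.
"""
import re

# Verbs expected from a bot's first few lines, plus common server traffic (numerics handled separately)
IRC_CMDS = {"NICK", "USER", "PASS", "JOIN", "PART", "PRIVMSG", "NOTICE", "PING", "PONG", "MODE", "QUIT"}
# RFC 1459 message: [":" prefix SPACE] command *(SPACE middle) [SPACE ":" trailing]
_IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?P<params>(?: [^:\s][^ ]*)*)(?: :(?P<trailing>.*))?$"
)


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x14-0x17 and version 0x03 0x00-0x04."""
    return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03 and payload[2] <= 0x04


def parse_irc_line(line: str):
    """Parse one IRC message into prefix/command/params, or None if it is not IRC-shaped."""
    m = _IRC_LINE.match(line.strip("\r\n"))
    if not m:
        return None
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return {"prefix": m.group("prefix"), "command": m.group("cmd").upper(), "params": params}


def irc_lines(payload: bytes) -> list:
    """All CRLF-delimited lines parsed as IRC, or [] if any line fails (so HTTP on 443 is not mistaken for IRC)."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return []
    parsed = []
    for raw in text.split("\r\n"):
        if not raw:
            continue
        p = parse_irc_line(raw)
        if p is None or (p["command"] not in IRC_CMDS and not p["command"].isdigit()):
            return []
        parsed.append(p)
    return parsed


def classify_flow(flow: dict) -> dict:
    """Verdict for one client->server payload: 'tls', 'irc-on-443', 'irc' or 'other'."""
    payload = flow["payload"]
    if looks_like_tls(payload):
        return {**flow, "verdict": "tls", "irc": []}
    lines = irc_lines(payload)
    if lines:
        return {**flow, "verdict": "irc-on-443" if flow["dport"] == 443 else "irc", "irc": lines}
    return {**flow, "verdict": "other", "irc": []}


def alert_summary(flows) -> list:
    """One alert line per flow carrying IRC on 443: who the bot registers as and what it joins."""
    out = []
    for f in map(classify_flow, flows):
        if f["verdict"] != "irc-on-443":
            continue
        nick = next((p["params"][0] for p in f["irc"] if p["command"] == "NICK" and p["params"]), "?")
        chans = [p["params"][0] for p in f["irc"] if p["command"] == "JOIN" and p["params"]]
        out.append(f"{f['src']} -> {f['dst']}:{f['dport']} plaintext IRC, nick={nick}, join={','.join(chans) or '-'}")
    return out


# Constructed flows: a real TLS ClientHello prefix, an IRC bot registration, and HTTP on 443.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "payload": bytes.fromhex("160301007a010000760303") + b"\x00" * 16},
    {"src": "10.0.0.5", "dst": "203.0.113.20", "dport": 443,
     "payload": b"NICK victim-pc\r\nUSER victim-pc 0 * :victim\r\nJOIN #chan\r\n"},
    {"src": "10.0.0.5", "dst": "203.0.113.30", "dport": 443,
     "payload": b"GET / HTTP/1.1\r\nHost: 203.0.113.30\r\n\r\n"},
]

if __name__ == "__main__":
    for line in alert_summary(SAMPLE_FLOWS):
        print(line)
```

In Wireshark the same idea is the display filter `tcp.port == 443 && !ssl` (newer releases spell the protocol `tls`), which leaves exactly the non-TLS 443 conversations; Wireshark will not dissect them as IRC on its own because its IRC dissector keys on the standard ports, so use Decode As or Follow TCP Stream to read them. Feeding this script real data means reassembling each TCP stream's client-side bytes from the pcap first (tshark's `-z follow,tcp,ascii,<stream>` or scapy both work); the classifier only needs the first few hundred bytes of each direction.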

 

FINAL NOTES

The associated files are listed at the top of this page.

Zip files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
